package com.test.util;

/**
 * Function:
 * 
 * @author tianfaming
 */
public class SqlInjectionFilter {

	private static final String[] SQL_INJECTION_DATA = { "exec ", "xp_", "sp_", ";", "declare ", "union ", "cmd", "+", "//", "..", ",", "'", "--",
	        "%", " 0x", "select ", "insert ", "update ", "delete ", "truncate ", "and ", "count ", "*", "chr", "mid", " master", "char", "drop",
	        "from ", "shutdown" };

	private static final String[] SQL_INJECTION_REPLACE_DATA = { "ｅｘｅｃ", "ｘｐ＿", "ｓｐ＿", "；", "ｄｅｃｌａｒｅ", "ｕｎｉｏｎ", "ｃｍｄ", "＋", "／／", "．．", "，", "＇",
	        "－－", "％", "０ｘ", "ｓｅｌｅｃｔ", "ｉｎｓｅｒｔ", "ｕｐｄａｔｅ", "ｄｅｌｅｔｅ", "ｔｒｕｎｃａｔｅ", "ａｎｄ", "ＣＯＵＮＴ", "＊", "ｃｈｒ", "ｍｉｄ", "ｍａｓｔｅｒ", "ｃｈａｒ", "ｄｒｏｐ", "ｆｒｏｍ",
	        "ｓｈｕｔｄｏｗｎ" };

	private static final String DEFAULT_SQL_INJECTION_REPLACE_DATA = "";

	/**
	 * 检验注入字符串 SqlInjectionStr 是否有非法字符
	 * 
	 * @param SqlInjectionStr
	 * @return
	 */
	public static boolean checkSqlInjectionData(String SqlInjectionStr) {
		if (SqlInjectionStr == null)
			SqlInjectionStr = "";// 确保SqlInjectionStr被初始化了
		String tempSqlInjectionStr = SqlInjectionStr.toLowerCase();
		for (int i = 0; i < SQL_INJECTION_DATA.length; i++) {
			int j = tempSqlInjectionStr.indexOf(SQL_INJECTION_DATA[i]);
			if (j != -1) {
				return true;// 含有非法字符
			}
		}
		return false;
	}

	/**
	 * 过滤注入字符串 SqlInjectionStr 中的非法字符
	 * 
	 * @param SqlInjectionStr
	 * @return
	 */
	public static String filterSqlInjectionData(String SqlInjectionStr) {
		if (SqlInjectionStr == null)
			SqlInjectionStr = "";// 确保SqlInjectionStr被初始化了
		String tempSqlInjectionStr = SqlInjectionStr.toLowerCase();
		for (int i = 0; i < SQL_INJECTION_DATA.length; i++) {
			try {
				if (i < SQL_INJECTION_REPLACE_DATA.length) {
					tempSqlInjectionStr = replace(tempSqlInjectionStr, SQL_INJECTION_DATA[i], SQL_INJECTION_REPLACE_DATA[i]);
				} else {
					tempSqlInjectionStr = replace(tempSqlInjectionStr, SQL_INJECTION_DATA[i], DEFAULT_SQL_INJECTION_REPLACE_DATA);
				}
			}
			catch (Exception e) {

			}
		}
		return tempSqlInjectionStr;
	}

	/**
	 * 字符串替换，将 source 中的 oldString 全部换成 newString
	 * 
	 * @param source
	 *            源字符串
	 * @param oldString
	 *            老的字符串
	 * @param newString
	 *            新的字符串
	 * @return 替换后的字符串
	 */
	public static String replace(String source, String oldString, String newString) {
		if (source == null) {
			return null;
		}
		StringBuffer output = new StringBuffer();

		int lengthOfSource = source.length(); // 源字符串长度
		int lengthOfOld = oldString.length(); // 老字符串长度

		int posStart = 0; // 开始搜索位置
		int pos; // 搜索到老字符串的位置

		while ((pos = source.indexOf(oldString, posStart)) >= 0) {
			output.append(source.substring(posStart, pos));

			output.append(newString);
			posStart = pos + lengthOfOld;
		}

		if (posStart < lengthOfSource) {
			output.append(source.substring(posStart));
		}

		return output.toString();
	}

	public static void main(String[] args) {
		// System.out.println(SqlInjectionFilter.checkSqlInjectionData("a"));
		System.out.println(SqlInjectionFilter.checkSqlInjectionData("adeletea"));
		System.out.println(filterSqlInjectionData("fasdfcmd hafdafm,mv..***....."));
	}
}